Standard Web technology allows a document to load executable script from multiple domains synchronously. For example, a first document, such as the web page
http://www.abc.com/main.html
is allowed to include a piece of JavaScript from
http://srv.main.abcrtm.com/dynamic
The loaded JavaScript is executed in the context of the first HyperText Markup Language (HTML) document (here main.html) and may freely modify that document. This capability of loading script from multiple domains is generally considered safe.
The loading of the executable script is synchronous: once loading of the JavaScript starts, rendering of main.html is blocked until the "dynamic" script has been loaded and executed. Only after the script has run does the main document continue rendering to completion.
The synchronous behavior of script loading introduces two problems. First, if the script is large, it blocks rendering of the entire document (the composite of the first document and the executable script) for an extended period, which degrades the end user experience. Second, the document compositing device, which may be a web browser running on a personal computer or laptop, treats the script as part of the document, so the script cannot be loaded on demand in response to a user action.
In recent years, a technology called AJAX (Asynchronous JavaScript and XML) has emerged. It allows dynamically generated content to be loaded asynchronously and on demand; for example, a piece of dynamically generated HTML content or an XML document can be loaded in response to a user action. Applied properly, this technology improves the responsiveness of web applications and enhances the end user experience. However, loading HTML or XML content across multiple domains is not considered safe: if it were allowed, a malicious web site could easily hijack pages on other web sites.
AJAX technology as a matter of principle blocks interaction between the main document and dynamically loaded content that comes from a different domain. This restriction can be relaxed slightly by downgrading the domain attribute of a document to its second level root domain. For example, a document on www.abc.com can be downgraded to the domain abc.com, while a document on srv.main.abcrtm.com can be downgraded to abcrtm.com. If the main document and the dynamic content (e.g. HTML or XML content) share the same second level root domain after downgrading, they are allowed to communicate with each other.
However, if the dynamic content is on a different second level root domain, it is strictly forbidden to access the main document. For example, a main.html document can be downgraded to the domain abc.com; content coming from another second level root domain such as abcrtm.com is then not allowed to access (e.g., read or modify) the main.html document at all.
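The two preceding paragraphs describe the rule that governs the domain downgrade: each document may lower its domain attribute to a parent domain of its own host, no further than the second level root domain, and two documents may script each other only when both end up on the same value. The following is an added example modelling that rule, not code from the original text. It generalizes the page's case slightly by returning the most specific common parent rather than only the second level root. The host names are constructed samples, and the two-label root is an assumption; real browsers consult the Public Suffix List, so a host under e.g. co.uk has a three-label root instead.

```javascript
// Added example, not part of the original text: a model of the document.domain
// downgrade rule described above. All host names are constructed samples.

// Split a host name into labels, most significant last, after basic validation.
function labels(host) {
  const parts = host.trim().toLowerCase().replace(/\.$/, '').split('.');
  if (parts.length < 2 || parts.some((p) => p.length === 0)) {
    throw new Error(`not a qualified host name: ${host}`);
  }
  return parts;
}

// The "second level root domain" of the passage: www.abc.com -> abc.com.
// Assumption: a plain two-label suffix (real browsers use the Public Suffix List).
function rootDomain(host) {
  return labels(host).slice(-2).join('.');
}

// May a document served from `host` set its domain attribute to `candidate`?
// Only its own host or a parent domain qualifies; `labels` rejects anything
// shorter than two labels, so the root domain is the floor.
function canDowngradeTo(host, candidate) {
  const h = labels(host);
  const c = labels(candidate);
  if (c.length > h.length) return false;
  return h.slice(h.length - c.length).join('.') === c.join('.');
}

// The value both documents must set in order to communicate, or null when no
// such value exists (different second level root domains). The most specific
// common parent is returned: a wider value would also admit every other host
// under that root, so the narrow choice is the least-privilege one.
function sharedDomainAfterDowngrade(mainHost, contentHost) {
  const a = labels(mainHost);
  const b = labels(contentHost);
  const common = [];
  for (let i = 1; i <= Math.min(a.length, b.length); i++) {
    if (a[a.length - i] !== b[b.length - i]) break;
    common.unshift(a[a.length - i]);
  }
  if (common.length < 2) return null; // only the top-level label is shared
  const shared = common.join('.');
  return canDowngradeTo(mainHost, shared) && canDowngradeTo(contentHost, shared)
    ? shared
    : null;
}

// The passage's cases (constructed sample hosts), as a table the reader can extend.
const CASES = [
  ['www.abc.com', 'srv.main.abc.com'],    // same root: allowed once both set abc.com
  ['www.abc.com', 'srv.main.abcrtm.com'], // different roots: never allowed
  ['a.x.abc.com', 'b.x.abc.com'],         // deeper shared parent: x.abc.com suffices
];

for (const [main, content] of CASES) {
  const shared = sharedDomainAfterDowngrade(main, content);
  console.log(
    `${main} <-> ${content}: ${shared ? `both set domain = ${shared}` : 'blocked'}`
  );
}
```

The model reflects the rule as the passage states it. Note that current browsers have deprecated setting `document.domain` and treat origins as the security boundary, so the downgrade described here is a legacy mechanism rather than something to design new applications around.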
For a more detailed description of this restriction, refer to the Microsoft technical document located at:
http://msdn.microsoft.com/workshop/author/om/xframe_scripting_security.a
However, a single web content provider, such as an Internet company, can own multiple domains. For example, eBay owns www.ebay.com, www.paypal.com, www.shopping.com, etc., and all content within those domains is considered safe within eBay. There is therefore a need to safely retrieve content from multiple domains and combine or compose it asynchronously to form the final rendition, which may be the visible depiction of the web page.